Certified in Risk and Information Systems Control (CRISC) — Question 742
Which of the following activities should be performed FIRST when establishing IT risk management processes?
Answer options
- A. Conduct a high-level risk assessment based on the nature of business.
- B. Collect data of past incidents and lessons learned.
- C. Identify the risk appetite of the organization.
- D. Assess the goals and culture of the organization.
Correct answer: D
Explanation
The correct answer is D because understanding the organization's goals and culture is essential to aligning risk management processes with its strategic objectives. Options A, B, and C, while important, should come after establishing a clear understanding of the organization's context and priorities.